Speak Freely is a free and open-sourced software used for efficient and
secure (encrypted) voice communication over the Internet. It was written
by John Walker, and runs on Windows and Unix. Homepage :
http://www.fourmilab.ch/speakfree/

During a source code audit, the Hackademy staff has found multiple
serious local and remote security holes in this software.

--[ Details ]--

* At least three exploitable stack buffer overflows were found. A single
UDP packet sent to either the data port(2074/udp) or the control port
(2075/udp) can crash the sfspeaker program in a way suitable for running
arbitrary supplied code.

* Usage of temporary files is insecure, making possible for a malicious
local user to overwrite with arbitrary data any file owned by the user
running Speak Freely.

* Speak Freely has a network feature allowing to send back the same UDP
packet he received. Because the source IP of an UDP packet can be
spoofed, there is a potential for relaying malicious packets into a
protected network (NATed or firewalled) if a computer having access to
this network is running Speak Freely.

* There are also a few static buffer overflows, more difficult to exploit.

--> The text attached to this advisory is taken from the file 'log.doc'
in the tarball for Speak Freely 7.6-A2, which is immune to most of these
issues. We also added some technical comments. Read this text for more
details about the bugs we spotted and how they were adressed.

--[ Impact ]--

A remote attacker, as well as a malicious local user, can execute
arbitrary code on the system with the privileges of the user running
Speak Freely.
These are not theoretical issues : we wrote a functional PoC exploit for
the ADPCM buffer overflow on Linux.

--[ Vulnerable/Patched Versions ]--

Speak Freely 7.5 for Unix is vulnerable to all of these issues.
Speak Freely 7.1 for Windows and Unix (and previous releases) are
vulnerable to some of these issues.